Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for identifying a peer-to-peer protocol of a communication session in an Internet Protocol (IP) packet network, the method comprising: using a Deep Packet Inspection (DPI) process to classify a plurality of communication sessions in the network; measuring an amount of unclassified bandwidth of the communication sessions which the DPI process was unable to classify; responsive to the unclassified bandwidth exceeding a predetermined level, measuring behavioral characteristics of the unclassified bandwidth according to a ratio between upstream and downstream traffic and a distribution of packet arrival times; identifying, using the behavioral characteristics, a subset of the plurality of communication sessions such that sessions in the subset are suspected of using a target peer-to-peer communication protocol; selecting a candidate session from the subset; initiating a trial communication session with a node of the network participating in the candidate session, wherein the trial communication session imitates the target peer-to-peer communication protocol; responsively to receiving a positive response from the node to initiation of the trial communication session imitating the target peer-to-peer communication protocol, determining that one or more further sessions in the plurality are using the target peer-to-peer communication protocol; and controlling the one or more further sessions responsively to a predetermined control criterion that is applicable to the target peer-to-peer communication protocol.
2. The method according to claim 1, wherein measuring the behavioral characteristics comprises measuring at least one characteristic selected from a group of characteristics consisting of a distribution of packet sizes, a number of open connections, a rate of opening new connections and a presence of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sessions between a pair of network nodes.
3. The method according to claim 1, wherein determining that the one or more further sessions are using the target peer-to-peer communication protocol comprises extracting a parameter from data packets of the candidate session and verifying that the data packets in the one or more further sessions are using the extracted parameter.
4. The method according to claim 1, wherein determining that the one or more further sessions are using the target peer-to-peer communication protocol comprises verifying that at least some of the sessions in the subset, other than the candidate session, are using the target peer-to-peer communication protocol.
5. The method according to claim 1, wherein controlling the one or more further sessions comprises blocking the one or more further sessions.
6. The method according to claim 1, wherein controlling the one or more further sessions comprises allocating a resource of the network to the one or more further sessions.
7. The method according to claim 6, wherein the resource comprises at least one resource selected from a group of resources consisting of a bandwidth, a processing resource and a memory.
8. The method according to claim 1, wherein initiating the trial session imitating the target peer-to-peer communication protocol comprises contacting the node participating in the candidate session using a temporary Internet Protocol (IP) address.
9. The method according to claim 8, wherein contacting the node comprises selecting the temporary IP address responsively to the IP address used by the node, so as to cause the trial session imitating the target peer-to-peer communication protocol and the candidate session to have a common routing path in the network.
10. A network element for identifying a peer-to-peer protocol of a communication session in an Internet Protocol (IP) packet network, the network element comprising: a network interface, which is operative to communicate with the network; and a processor, which is coupled to: use a Deep Packet Inspection (DPI) process to classify a plurality of communication sessions in the network; measure an amount of unclassified bandwidth of the communication sessions which the DPI process was unable to classify; responsive to the unclassified bandwidth exceeding a predetermined level, measure behavioral characteristics of the unclassified bandwidth according to a ratio between upstream and downstream traffic and a distribution of packet arrival times; identify, using the behavioral characteristics, a subset of the plurality of communication sessions such that sessions in the subset are suspected of using a target peer-to-peer communication protocol; select a candidate session from the subset; initiate a trial communication session with a node of the network participating in the candidate session, wherein the trial communication session imitates the target peer-to-peer communication protocol; determine, responsively to receiving a positive response from the node to initiation of the trial communication session imitating the target peer-to-peer communication protocol, that one or more further sessions in the plurality are using the target peer-to-peer communication protocol; and control the one or more further sessions responsively to a predetermined control criterion that is applicable to the target peer-to-peer communication protocol.
11. The network element according to claim 10, wherein the behavioral characteristics comprise at least one characteristic selected from a group of characteristics consisting of a distribution of packet sizes, a number of open connections, a rate of opening new connections and a presence of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sessions between a pair of network nodes.
12. The network element according to claim 10, wherein the processor is coupled to extract a parameter from data packets of the candidate session, and to determine that the one or more further sessions are using the target peer-to-peer communication protocol by verifying that the data packets in the one or more further sessions are using the extracted parameter.
13. The network element according to claim 10, wherein the processor is arranged to block the one or more further sessions upon determining that the one or more further sessions are using the target peer-to-peer communication protocol.
14. The network element according to claim 10, wherein the processor is arranged to control allocation of a resource of the network to the one or more further sessions upon determining that the one or more further sessions are using the target peer-to-peer communication protocol.
15. The network element according to claim 10, wherein the processor is arranged to contact the node participating in the candidate session using a temporary Internet Protocol (IP) address in the initiation of the trial session imitating the target peer-to-peer communication protocol.
16. A communication apparatus for identifying a peer-to-peer protocol of a communication session in an Internet Protocol (IP) packet network, comprising: means for using a Deep Packet Inspection (DPI) process to classify a plurality of communication sessions in the network; means for measuring an amount of unclassified bandwidth of the communication sessions which the DPI process was unable to classify; means for, responsive to the unclassified bandwidth exceeding a predetermined level, measuring behavioral characteristics of the unclassified bandwidth according to a ratio between upstream and downstream traffic and a distribution of packet arrival times; means for identifying, using the behavioral characteristics, a subset of the plurality of communication sessions such that sessions in the subset are suspected of using a target peer-to-peer communication protocol; means for selecting a candidate session from the subset; means for initiating a trial communication session using the target peer-to-peer communication protocol with a node of the network participating in the candidate session, wherein the trial communication session imitates the target peer-to-peer communication protocol; means for determining, responsively to receiving a positive response from the node to initiation of the trial communication session imitating the target peer-to-peer communication protocol, that one or more further sessions in the plurality are using the target peer-to-peer communication protocol; and means for controlling the one or more further sessions responsively to a predetermined control criterion that is applicable to the target peer-to-peer communication protocol.
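The passive stages of claim 1 (unclassified-bandwidth trigger, then behavioral selection of a suspected subset) and the parameter matching of claim 3, as an added example that is not code from the patent or its applicant. The thresholds, field names and flow records are assumptions constructed for illustration; the trial-session step is not implemented, and its result is taken as an input.

```python
from statistics import mean, pstdev

# Constructed flow records. dpi_label None means DPI could not classify the flow;
# "param" is a hypothetical stand-in for the parameter extracted in claim 3.
FLOWS = [
    {"id": "f1", "dpi_label": "http", "up": 20_000, "down": 900_000, "arrivals": [0.0, 0.1, 0.2], "param": None},
    {"id": "f2", "dpi_label": None, "up": 400_000, "down": 500_000, "arrivals": [0.0, 0.01, 0.02, 0.9, 0.91, 2.5], "param": "k1"},
    {"id": "f3", "dpi_label": None, "up": 10_000, "down": 600_000, "arrivals": [0.0, 0.1, 0.2, 0.3, 0.4], "param": "k9"},
    {"id": "f4", "dpi_label": None, "up": 300_000, "down": 250_000, "arrivals": [0.0, 0.02, 0.03, 1.2, 1.21, 3.0], "param": "k1"},
    {"id": "f5", "dpi_label": "dns", "up": 500, "down": 800, "arrivals": [0.0, 0.05], "param": None},
]

# Assumed values; the claims only say "predetermined level" and name the features.
UNCLASSIFIED_TRIGGER = 0.30   # share of total bytes that DPI failed to classify
RATIO_BAND = (0.5, 2.0)       # near-symmetric upstream/downstream byte ratio
MIN_IAT_CV = 1.0              # bursty inter-arrival times (coefficient of variation)

def unclassified_share(flows):
    total = sum(f["up"] + f["down"] for f in flows)
    unknown = sum(f["up"] + f["down"] for f in flows if f["dpi_label"] is None)
    return unknown / total if total else 0.0

def behaviour(flow):
    """Return (up/down ratio, inter-arrival CV), the two features named in claim 1."""
    ratio = flow["up"] / flow["down"] if flow["down"] else float("inf")
    gaps = [b - a for a, b in zip(flow["arrivals"], flow["arrivals"][1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return ratio, 0.0
    return ratio, pstdev(gaps) / mean(gaps)

def suspected_subset(flows):
    """Behavioral analysis runs only once unclassified bandwidth exceeds the trigger."""
    if unclassified_share(flows) <= UNCLASSIFIED_TRIGGER:
        return []
    picked = []
    for f in flows:
        if f["dpi_label"] is None:
            ratio, cv = behaviour(f)
            if RATIO_BAND[0] <= ratio <= RATIO_BAND[1] and cv >= MIN_IAT_CV:
                picked.append(f["id"])
    return picked

def further_sessions(flows, confirmed_id):
    """Claim 3: other unclassified flows carrying the confirmed candidate's parameter."""
    key = {f["id"]: f for f in flows}[confirmed_id]["param"]
    return [f["id"] for f in flows
            if f["dpi_label"] is None and f["id"] != confirmed_id and f["param"] == key]
```

Flow f3 stays out of the subset because its traffic is download-heavy and evenly paced, which shows why the two features are evaluated together rather than flagging every unclassified flow.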
August 9, 2011